
It has become a common trend to use shell scripts from the web and directly run them:

bash <(curl -sL some.random.website.com)

I always view the scripts before running them. However, shell scripts are always more cryptic to read than a regular program. And yet, they are extremely powerful. They can do so much without the user even noticing.

I have always wondered if there are any tools to verify/scan such scripts.

Also, there have been anti-viruses for decades for verifying "closed-source" code, then how come there are so few/none to verify open-source code?

shivams
  • A common trend to run bash commands like that? No wonder they say the world is going to end soon. Anyway, malware scanners don't care about open or closed source, they just check "signatures", whatever they mean by that (suspicious parts, behaviors, etc.) – reed May 05 '20 at 14:46
  • Yes @reed. Unfortunately, it is becoming common. GitHub is filled with such repositories. Many mature packages are also providing installation through such methods. – shivams May 05 '20 at 14:49
  • Even if you read the script first, you are not safe: https://www.infosecmatter.com/terminal-escape-injection/ I have also seen studies where the server can tell the difference between just downloading a file or piping it to something, and serving different content in each case. – multithr3at3d May 05 '20 at 15:09
  • Leveraging the User as a privilege escalation is probably the most prevalent exploit since forever and likely will continue to be so. – user10216038 May 05 '20 at 15:16
  • I don't think there's a solution to this problem. It would be incredibly complex to write a piece of software that would read a script (or piece of code) and work out whether it had malicious intentions or stuck to doing what the devs intended -- which could involve privileged operations. You need to read and understand the code unfortunately. – Pedro May 05 '20 at 16:15
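
One way to act on the two risks raised in the comments above (escape sequences that hide content during review, and a server answering a pipe differently from a plain download), as an added example that is not part of the original thread: fetch the script to a file once, reject it if it contains control or non-ASCII bytes, and only then page and run that same file. The function names `check_script` and `fetch_review_run` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example; check_script and fetch_review_run are hypothetical names.

# check_script FILE
# Returns 0 only if FILE is readable and every byte is printable ASCII,
# space, tab or newline. Anything else (ESC, CR, backspace, NUL, bytes
# >= 0x80) can make a terminal or pager show text that differs from what
# bash will execute, so the file is rejected and the offending lines are
# printed in cat -v notation (ESC shows as ^[, CR as ^M).
check_script() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    if LC_ALL=C grep -aq '[^[:print:][:blank:]]' "$1"; then
        echo "control or non-ASCII bytes in $1:" >&2
        LC_ALL=C grep -an '[^[:print:][:blank:]]' "$1" | cat -v >&2
        return 1
    fi
    return 0
}

# fetch_review_run URL
# Downloads once to a temporary file, so the bytes reviewed are the bytes
# executed; the server never sees a pipe into bash.
fetch_review_run() {
    local tmp answer
    tmp=$(mktemp) || return 1
    curl -fsSL --output "$tmp" "$1" || { rm -f "$tmp"; return 1; }
    if ! check_script "$tmp"; then
        echo "not running; file kept for inspection: $tmp" >&2
        return 1
    fi
    less "$tmp"                       # human review of the saved copy
    printf 'Run %s with bash? [y/N] ' "$tmp"
    read -r answer
    if [ "$answer" = y ]; then bash "$tmp"; fi
}
```

The byte check is deliberately strict, so a script with legitimate UTF-8 text in its comments is flagged as well; read the `cat -v` output before deciding what to do with such a file.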

0 Answers